PIX firewalling web servers

Anonymous
July 23, 2004 8:06:08 PM

Archived from groups: comp.security.firewalls (More info?)

Hi,

We need to run a firewall in front of our web servers. They are on
multiple subnets, so the solution would seem to be to have the internet
connection coming into a perimeter router, then to the firewall, then to
an internal router and out to the servers. I'm having a bit of
difficulty finding any examples of this configuration, although it must
be in use a lot. Could anyone run through the specifics or provide an
example configuration? If possible I'd like to avoid running NAT and PAT.

--
Daniel
Anonymous
July 23, 2004 10:41:37 PM

Daniel Foster wrote:

> Hi,
>
> We need to run a firewall in front of our web servers.

- Why?
- What kind of 'firewall'? Packet filter or proxy?

> They are on
> multiple subnets, so the solution would seem to be to have the internet
> connection coming into a perimeter router, then to the firewall, then to
> an internal router and out to the servers.

Ever thought of using VLANs?

> I'm having a bit of
> difficulty finding any examples of this configuration, although it must
> be in use a lot. Could anyone run through the specifics or provide an
> example configuration? If possible I'd like to avoid running NAT and PAT.

The PIX is not a router.

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980
Anonymous
July 23, 2004 10:41:38 PM

Wolfgang Kueter wrote:

>> They are on
>> multiple subnets, so the solution would seem to be to have the internet
>> connection coming into a perimeter router, then to the firewall, then to
>> an internal router and out to the servers.
>
> Ever thought of using VLANs?

BAD idea. Do you know what happens to the VLAN config on most switches
when the MAC address table overflows? They become "hubs" (all packets go
to all ports) until you reboot them. It's trivial for a hacker to write
a program that floods out packets with different random MAC addresses.
Send those packets through the VLAN switch, and in about 10 seconds or
so, no more VLANs; the whole thing is wide open.
Anonymous
July 24, 2004 2:50:52 AM

On Fri, 23 Jul 2004 16:35:33 -0400, "T. Sean Weintz" <strap@hanh-ct.org>
wrote:

> Wolfgang Kueter wrote:
>
>>> They are on
>>> multiple subnets, so the solution would seem to be to have the internet
>>> connection coming into a perimeter router, then to the firewall, then to
>>> an internal router and out to the servers.
>>
>> Ever thought of using VLANs?
>
> BAD idea.

GOOD idea if all the attached services are at the same trust level.

Private VLANs combined with a dot1q trunk into the firewall are ideal for
running in *lots* of external services.


> It's trivial for a hacker to write
> a program that floods out packets with different random MAC addresses.

If they have penetrated a box to the extent of being able to download and
build tools like macof, one has far more to worry about than attempts to
overflow the CAM table.

The methods to secure a switch from such attacks are well documented.
Any attempts to flood through that port will result in disconnection.

greg

--
Can you hear me?
Can you see me?
Can you feel me?
I don't understand you
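The "well documented" switch hardening Greg refers to, written out as an added example (this is not a configuration from any poster in the thread): Cisco IOS port security on a server-facing access port, limiting the number of learned MAC addresses and err-disabling the port on a violation, so a flood from a compromised host cannot fill the shared CAM table. The interface name, VLAN number and description are assumed values.

```cisco
! Access port facing a single web server (names and VLAN are assumptions).
! Learn at most two MAC addresses on this port; a third one is a violation
! and the port is shut down (err-disabled) instead of flooding the CAM table.
interface FastEthernet0/1
 description web-server-01 (example name)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Recover an err-disabled port automatically after 5 minutes, so a violation
! is logged and contained without someone having to clear it by hand.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Commands to verify what has been learned and whether a port has tripped:
! show port-security interface FastEthernet0/1
! show port-security address
! show interfaces status err-disabled
```

A port-security violation is also written to the switch log (and sent as an SNMP trap if traps are enabled), which is the signal a monitoring system should alert on rather than waiting for traffic to start appearing on every port.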
Anonymous
July 26, 2004 2:54:25 PM

On Fri, 23 Jul 2004 22:50:52 +0100, Greg Hennessy wrote:

[ about flooding switches with macof ]

> The methods to secure a switch from such attacks are well documented.
> Any attempts to flood through that port will result in disconnection.

And, the behavior Weintz describes of a switch with VLANs is
identified as a bug by (at least) Cisco, and subsequently should
be fixed in recent switching software.

Been on holidays and didn't notice this thread until now, sorry
for the late reply.

--
New and exciting signature!
Anonymous
July 26, 2004 5:42:15 PM

On 26 Jul 2004 10:54:25 GMT, Eirik Seim <eirik@mi.uib.no> wrote:

> And, the behavior Weintz describes of a switch with VLANs is
> identified as a bug by (at least) Cisco, and subsequently should
> be fixed in recent switching software.

Exactly, if one requires a very high level of port density, switch +
firewall is far preferable to filling racks up with firewalls at 20 fast-e
ports per 2U.

I know of one bank here in the UK that put in 6 racks of IP-650s to plumb
external services.

A complete waste of money.

greg

--
Can you hear me?
Can you see me?
Can you feel me?
I don't understand you